Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)

🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 39
Patched 76

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 3
Medium Severity 90
High Severity 18
Critical Severity 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 33
Cross-Site Request Forgery (CSRF) 26
Missing Authorization 21
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 7
Unrestricted Upload of File with Dangerous Type 5
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 4
Information Exposure 3
Protection Mechanism Failure 2
Improper Authorization 2
Guessable CAPTCHA 2
Improper Privilege Management 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) 1
Improper Control of Generation of Code (‘Code Injection’) 1
Authorization Bypass Through User-Controlled Key 1
Exposure of Sensitive Data Through Data Queries 1
Authentication Bypass Using an Alternate Path or Channel 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1
Unverified Password Change 1
Incorrect Privilege Assignment 1
Use of Less Trusted Source 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
István Márton
(Wordfence Vulnerability Researcher)
14
Rafie Muhammad 10
Nguyen Xuan Chien 9
Abdi Pranata 7
Dave Jong 6
Mika 4
Dmitrii Ignatyev 4
Dimas Maulana 3
Joshua Chan 3
Jesse McNeil 3
thiennv 3
Ngô Thiên An (ancorn_) 2
Donato Di Pasquale 2
Francesco Marano 2
Dateoljo of BoB 12th 2
Abu Hurayra (HurayraIIT) 2
Arvandy 2
qilin_99 2
Skalucy 2
lttn 1
Joost Grunwald 1
Bob Matyas 1
SeungYongLee 1
Tien fromVNPT-VCI 1
DoYeon Park (p6rkdoye0n) 1
Le Ngoc Anh 1
Vladislav Pokrovsky (ΞX.MI) 1
Song Hyun Bae 1
resecured.io 1
Naveen Muthusamy 1
Luqman Hakim Y 1
minhtuanact 1
Muhammad Daffa 1
Myungju Kim 1
Francesco Carlucci 1
Huynh Tien Si 1
Marco Wotschka
(Wordfence Vulnerability Researcher)
1
Phd 1
Alex Sanford 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AI ChatBot chatbot
ARI Stream Quiz – WordPress Quizzes Builder ari-stream-quiz
Abandoned Cart Lite for WooCommerce woocommerce-abandoned-cart
Accept Stripe Payments stripe-payments
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) wp-analytify
Auto Affiliate Links wp-auto-affiliate-links
Autocomplete Location field Contact Form 7 autocomplete-location-field-contact-form-7
Availability Calendar availability-calendar
Awesome Support – WordPress HelpDesk & Support Plugin awesome-support
BackWPup – WordPress Backup Plugin backwpup
BlossomThemes Email Newsletter blossomthemes-email-newsletter
Booster for WooCommerce woocommerce-jetpack
Bootstrap Shortcodes Ultimate bs-shortcode-ultimate
Broken Link Checker for YouTube broken-link-checker-for-youtube
Bulk Comment Remove bulk-comment-remove
Captcha Code captcha-code-authentication
CataBlog catablog
Chatbot for WordPress ⚡️ collectchat
Community by PeepSo – Social Network, Membership, Registration, User Profiles peepso-core
Consensu.io | Conformidade e Consentimento de Cookies para LGPD consensu-io
Contact Form Email contact-form-to-email
Contact Form to Any API contact-form-to-any-api
Debug Log Manager debug-log-manager
Display Custom Post display-custom-post
Drop Shadow Boxes drop-shadow-boxes
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box easy-facebook-likebox
Easy Social Icons easy-social-icons
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Events Manager events-manager
Export any WordPress data to XML/CSV wp-all-export
Fast Custom Social Share by CodeBard fast-custom-social-share-by-codebard
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager file-manager
Floating Action Button floating-action-button
Frontier Post frontier-post
Grab & Save save-grab
HUSKY – Products Filter for WooCommerce Professional woocommerce-products-filter
Hide login page, Hide wp admin – stop attack on login page hide-login-page
Import Spreadsheets from Microsoft Excel import-spreadsheets-from-microsoft-excel
Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages page-builder-add
League Table league-table-lite
License Manager for WooCommerce license-manager-for-woocommerce
Link Whisper Free link-whisper
Login Lockdown – Protect Login Form login-lockdown
Mail Bank – #1 Mail SMTP Plugin for WordPress wp-mail-bank
Maspik – Spam Blacklist contact-forms-anti-spam
MyBookTable Bookstore by Stormhill Media mybooktable
Parallax Image parallax-image
Parcel Pro woo-parcel-pro
PayTR Taksit Tablosu – WooCommerce paytr-taksit-tablosu-woocommerce
Perfmatters perfmatters
Porto Theme – Functionality porto-functionality
Post Meta Data Manager post-meta-data-manager
Preloader for Website preloader-for-website
Quttera Web Malware Scanner quttera-web-malware-scanner
Salon booking system salon-booking-system
Seraphinite Post .DOCX Source seraphinite-post-docx-source
Simple Testimonials Showcase simple-testimonials-showcase
Simply Exclude simply-exclude
SpiderVPlayer player
Super Progressive Web Apps super-progressive-web-apps
Tainacan tainacan
Taxonomy filter taxonomy-filter
Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More gs-team-members
TextMe SMS textme-sms-integration
The Events Calendar the-events-calendar
Theme Editor theme-editor
Theme My Login 2fa tml-2fa
TriPay Payment Gateway tripay-payment-gateway
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping wc-multishipping
UserPro – Community and User Profile WordPress Plugin userpro
Video PopUp video-popup
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors wc-vendors
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce wc-multivendor-marketplace
WP ALL Export Pro wp-all-export-pro
WP Child Theme Generator wp-child-theme-generator
WP Githuber MD – WordPress Markdown Editor wp-githuber-md
WP Mail Log wp-mail-log
WP Roadmap – Product Feedback Board wp-roadmap
Widgets for Google Reviews wp-reviews-plugin-for-google
WordPress Gallery Plugin – NextGEN Gallery nextgen-gallery
WordPress Job Board and Recruitment Plugin – JobWP jobwp
WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout gs-pinterest-portfolio
Yoast SEO wordpress-seo
eDoc Employee Job Application – Best WordPress Job Manager for Employees edoc-employee-application
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin mycred
salient-core salient-core
wpForo Forum wpforo

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Enfold – Responsive Multi-Purpose Theme enfold

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

UserPro <= 5.1.1 – Authentication Bypass to Administrator

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2437
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3cf9f38-c20e-40dc-a7a1-65b0c6ba7925

UserPro <= 5.1.1 – Insecure Password Reset Mechanism

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2449
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de9be7bc-4f8a-4393-8ebb-1b1f141b7585

Porto Theme – Functionality <= 2.11.1 – Unauthenticated SQL Injection

Affected Software: Porto Theme – Functionality
CVE ID: CVE-2023-48738
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fabc7ad3-1d20-493f-aacb-1832d33d8e14

WP Child Theme Generator <= 1.0.8 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: WP Child Theme Generator
CVE ID: CVE-2023-47873
CVSS Score: 9.1 (Critical)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49fcd2cb-d880-4152-a736-33fd90f07083

UserPro <= 5.1.1 – Cross-Site Request Forgery to Privilege Escalation

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2440
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73600498-f55c-4b8e-a625-4f292e58e0ee

WP Githuber MD <= 1.16.2 – Authenticated (Author+) Arbitrary File Upload

Affected Software: WP Githuber MD – WordPress Markdown Editor
CVE ID: CVE-2023-47846
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6fda35d-8b82-4a7a-8db6-21dc38a841f4

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Cross-Site Request Forgery to Remote Code Execution

Affected Software/s: WP ALL Export Pro, Export any WordPress data to XML/CSV
CVE ID: CVE-2023-5882
CVSS Score: 8.8 (High)
Researcher/s: Donato Di Pasquale, Francesco Marano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b70e8bce-1793-40f0-bdb1-100cf5f431e9

Link Whisper Free <= 0.6.5 – Authenticated (Contributor+) SQL Injection

Affected Software: Link Whisper Free
CVE ID: CVE-2023-47852
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5e26a56-bba0-4204-bcb7-c5ec123a9b2d

UserPro <= 5.1.4 – Authenticated (Subscriber+) Privilege Escalation

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-6009
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851

UserPro <= 5.1.0 – Cross-Site Request Forgery to PHP Object Injection

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2497
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbb601ce-a884-4894-af13-dab14885c7eb

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Cross-Site Request Forgery to PHAR Deserialization

Affected Software/s: WP ALL Export Pro, Export any WordPress data to XML/CSV
CVE ID: CVE-2023-5886
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fdc18341-135b-4522-a9db-510e4c4d9704

BackWPup <= 4.0.1 – Authenticated (Administrator+) Directory Traversal

Affected Software: BackWPup – WordPress Backup Plugin
CVE ID: CVE-2023-5504
CVSS Score: 8.7 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e830fe1e-1171-46da-8ee7-0a6654153f18

WordPress Job Board and Recruitment Plugin – JobWP <= 2.1 – Sensitive Information Exposure

Affected Software: WordPress Job Board and Recruitment Plugin – JobWP
CVE ID: CVE-2023-48288
CVSS Score: 7.5 (High)
Researcher/s: Myungju Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c73dbc40-ba54-4836-9bb1-a35f95d5a077

UserPro <= 5.1.1 – Missing Authorization via multiple functions

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-6007
CVSS Score: 7.3 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c4f8798-c0f9-4d05-808e-375864a0ad95

License Manager for WooCommerce <= 2.2.10 – Authenticated (Administrator+) SQL Injection

Affected Software: License Manager for WooCommerce
CVE ID: CVE-2023-48742
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09597618-8695-4631-8c3b-4e7580d58c86

Login Lockdown <= 2.06 – Authenticated (Administrator+) SQL Injection

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09773141-883b-40e3-bd20-d3115c02e023

WP Mail Log <= 1.1.2 – Authenticated (Editor+) SQL Injection via id

Affected Software: WP Mail Log
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/099cc754-6a56-498f-848a-a242733e7fb0

Salon booking system < 8.7 – Authenticated (Editor+) Privilege Escalation

Affected Software: Salon booking system
CVE ID: CVE-2023-48319
CVSS Score: 7.2 (High)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cac7f96-eb64-427d-9a95-b8bf1c675af0

CataBlog <= 1.7.0 – Authenticated (Editor+) Arbitrary File Upload

Affected Software: CataBlog
CVE ID: CVE-2023-47842
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18d1ba80-ddf6-4076-bc78-78647b964bcf

WC Vendors Marketplace <= 2.4.7 – Authenticated (Shop manager+) SQL Injection via search dates

Affected Software: WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
CVE ID: CVE-2023-48327
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64f879af-aa8f-4edf-8369-ca032603d529

Theme Editor <= 2.7.1 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: Theme Editor
CVE ID: CVE-2023-6091
CVSS Score: 7.2 (High)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6ede290-a6c4-4c13-872b-60c9601d39db

ChatBot <= 4.7.8 – Authenticated (Administrator+) SQL Injection

Affected Software: AI ChatBot
CVE ID: CVE-2023-48741
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db1bb11d-4752-42d0-b538-2d2a4c827226

Quttera Web Malware Scanner <= 3.4.1.48 – Authenticated (Administrator+) Directory Traversal via ShowFile

Affected Software: Quttera Web Malware Scanner
CVE ID: CVE-2023-6222
CVSS Score: 6.8 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9992d0d-7c6e-4184-8f48-1515d50cc028

Widgets for Google Reviews <= 11.0.2 – Authenticated (Editor+) Arbitrary File Upload

Affected Software: Widgets for Google Reviews
CVE ID: CVE-2023-48275
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/504c0132-530b-4184-b19a-97e68df79b48

UserPro <= 5.1.1 – Sensitive Information Disclosure via Shortcode

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2446
CVSS Score: 6.5 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4072ba5f-6385-4fa3-85b6-89dac7b60a92

UserPro <= 5.1.4 – Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2448
CVSS Score: 6.5 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cbe9175-4a6f-4eb6-8d31-9a9fda9b4f40

CataBlog <= 1.7.0 – Authenticated (Editor+) Arbitrary File Deletion

Affected Software: CataBlog
CVE ID: CVE-2023-47843
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8794854d-e931-4a85-b767-2ab81bfcb780

Contact Form to Any API <= 1.1.6 – Missing Authorization via delete_cf7_records()

Affected Software: Contact Form to Any API
CVE ID: CVE-2023-47871
CVSS Score: 6.5 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4a7c647-4c57-499a-8e46-ca273985bd6d

Display Custom Post <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Display Custom Post
CVE ID: CVE-2023-48317
CVSS Score: 6.4 (Medium)
Researcher/s: Tien fromVNPT-VCI
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18531eed-3150-424c-970c-5975afe7546a

Bootstrap Shortcodes Ultimate <= 4.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Bootstrap Shortcodes Ultimate
CVE ID: CVE-2023-47851
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e93efec-371c-4050-b24b-e5e978059549

Salient Core <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: salient-core
CVE ID: CVE-2023-48749
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/316ffb37-47fe-47c4-8a81-5794fa12ce33

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 – Authenticated (Admin+) Remote Code Execution

Affected Software/s: WP ALL Export Pro, Export any WordPress data to XML/CSV
CVE ID: CVE-2023-4724
CVSS Score: 6.4 (Medium)
Researcher/s: Donato Di Pasquale, Francesco Marano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43f976ee-cba7-4f5d-b9c6-a6f66c0011d2

EventPrime – Modern Events Calendar, Bookings and Tickets <= 3.3.2 – Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: EventPrime – Events Calendar, Bookings and Tickets
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5124be64-6679-4dc5-8117-55c73ae91489

Parallax Image <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Parallax Image
CVE ID: CVE-2023-47854
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55cd02d1-7b06-427b-840b-3ced73ad4a74

wpForo Forum <= 2.2.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: wpForo Forum
CVE ID: CVE-2023-47872
CVSS Score: 6.4 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5607a60e-a04a-4d28-bb04-bdacf8e97c56

Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Video PopUp
CVE ID: CVE-2023-4962
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/670ea03e-2f76-48a4-9f40-bc4cfd987a89

Community by PeepSo <= 6.2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting


Easy Social Icons <= 3.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Easy Social Icons
CVE ID: CVE-2023-48336
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab888ee1-bdc2-4b8b-9b16-a7d146f123df

Drop Shadow Boxes <= 1.7.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Drop Shadow Boxes
CVE ID: CVE-2023-5469
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0b3911c-a960-4f28-b289-389b26282741

GS Team Members <= 2.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c146f89c-5df3-4aaf-b880-0ce6016dfb6d

myCred <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
CVE ID: CVE-2023-47853
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4067e03-427c-4b03-a250-0354572ae361

Perfmatters < 2.2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Perfmatters
CVE ID: CVE-2023-47877
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc4a7efd-f4f4-44a7-bd55-a6ae3a1d3521

Import Spreadsheets from Microsoft Excel <= 10.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Import Spreadsheets from Microsoft Excel
CVE ID: CVE-2023-48289
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d337e39c-3a3d-4465-bc40-77f0b27aeab2

WCFM Marketplace <= 3.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
CVE ID: CVE-2023-4960
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f99e9f01-cc98-4af5-bb95-f56f6a550e96

UserPro <= 5.1.1 – Cross-Site Request Forgery via multiple functions

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-6008
CVSS Score: 6.3 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed6e2b9e-3d70-4c07-a779-45164816b89c

UserPro <= 5.1.1 – Cross-Site Request Forgery to Sensitive Information Exposure

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2447
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0372efe4-b5be-4601-be43-5c12332ea1a5

Enfold <= 5.6.4 – Reflected Cross-Site Scripting

Affected Software: Enfold – Responsive Multi-Purpose Theme
CVE ID: CVE-2023-38400
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/100b700f-8812-48be-8a04-28f60a57b35f

Grab & Save <= 1.0.4 – Reflected Cross-Site Scripting

Affected Software: Grab & Save
CVE ID: CVE-2023-47844
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2baab094-5ece-41a2-821a-b594a2c2327e

Simply Exclude <= 2.0.6.6 – Reflected Cross-Site Scripting

Affected Software: Simply Exclude
CVE ID: CVE-2023-48743
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f9a3883-9755-4de8-9d60-113238b3c0ac

Perfmatters <= 2.1.6 – Reflected Cross-Site Scripting

Affected Software: Perfmatters
CVE ID: CVE-2023-47876
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/612fb73f-e488-453f-a2a4-32969f91122b

UserPro <= 5.1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata

Affected Software: UserPro – Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2438
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d30adc5-27a5-4549-84fc-b930f27f03e5

Tainacan <= 0.20.4 – Reflected Cross-Site Scripting

Affected Software: Tainacan
CVE ID: CVE-2023-47848
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f192811-378b-422d-8086-9a957b464bb7

Events Manager <= 6.4.5 – Reflected Cross-Site Scripting

Affected Software: Events Manager
CVE ID: CVE-2023-48326
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9053cf91-0af1-44f8-9fdf-7ecbd457545b

Salient Core <= 2.0.2 – Reflected Cross-Site Scripting

Affected Software: salient-core
CVE ID: CVE-2023-48748
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1ae1b28-ea9e-4446-8b03-b5a8eaac1042

eDoc Employee Job Application <= 1.13 – Reflected Cross-Site Scripting

Affected Software: eDoc Employee Job Application – Best WordPress Job Manager for Employees
CVE ID: CVE-2023-48322
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbfbd7c2-7a46-4292-9173-f90298a7fcc4

Maspik – Spam blacklist <= 0.9.2 – Unauthenticated Stored Cross-Site Scripting via efas_add_to_log

Affected Software: Maspik – Spam Blacklist
CVE ID: CVE-2023-48272
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8db52ce-fbc3-4fe1-b9b4-cb2ce7d88a67

Community by PeepSo <= 6.2.6.0 – Reflected Cross-Site Scripting

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles
CVE ID: CVE-2023-48746
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fda1be79-ba45-4e8f-bfc3-355f9cdbad82

Yoast SEO <= 21.0 – Authenticated (Seo Manager+) Stored Cross-Site Scripting

Affected Software: Yoast SEO
CVE ID: CVE-2023-40680
CVSS Score: 5.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/385a82ff-50ad-4787-845b-fb5f639f6466

Theme My Login 2FA < 1.2 – 2FA Bypass via Brute Force

Affected Software: Theme My Login 2fa
CVE ID: CVE-2023-6272
CVSS Score: 5.4 (Medium)
Researcher/s: Joost Grunwald
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1398e296-9b20-4f8e-85f2-896888abc67e

Porto Theme – Functionality <= 2.11.1 – Missing Authorization

Affected Software: Porto Theme – Functionality
CVE ID: CVE-2023-48739
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e1300be-07e3-44b6-9ced-a16825274d22

BlossomThemes Email Newsletter <= 2.2.4 – Missing Authorization

Affected Software: BlossomThemes Email Newsletter
CVE ID: CVE-2023-47849
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e98b763-29b9-435d-a436-d4df64234b4d

Quttera Web Malware Scanner <= 3.4.1.48 – Sensitive Data Exposure

Affected Software: Quttera Web Malware Scanner
CVE ID: CVE-2023-6065
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2163af55-1ea4-4c60-b9f0-baf99297c6bc

Accept Stripe Payments <= 2.0.79 – Unauthenticated Content Injection

Affected Software: Accept Stripe Payments
CVE ID: CVE-2023-48285
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f499d5e-eb27-4611-af27-ac9fd6a9f044

Accept Stripe Payments <= 2.0.79 – Insecure Direct Object Reference

Affected Software: Accept Stripe Payments
CVE ID: CVE-2023-48286
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44d14692-d90a-45f9-afb4-0666ce4b3397

Preloader for Website <= 1.2.2 – Missing Authorization via plwao_register_settings()

Affected Software: Preloader for Website
CVE ID: CVE-2023-48273
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5cfc38c0-f940-4c4d-ba7b-0d772146ea2d

Hide login page <= 1.1.7 – Login Page Disclosure

Affected Software: Hide login page, Hide wp admin – stop attack on login page
CVE ID: CVE-2023-48335
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d3cff57-ea8a-4082-bc05-d62b9d92f0e6

The Events Calendar <= 6.2.8 – Information Disclosure

Affected Software: The Events Calendar
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8291fd89-aea1-4f7b-abd8-dee8438c3ed5

PayTR Taksit Tablosu <= 1.3.1 – Missing Authorization

Affected Software: PayTR Taksit Tablosu – WooCommerce
CVE ID: CVE-2023-47847
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bfefe86-b25e-4ffe-9beb-28dc22a99d62

Perfmatters <= 2.1.6 – Missing Authorization

Affected Software: Perfmatters
CVE ID: CVE-2023-47874
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b078e446-61e7-4ce1-b9a9-480ccc388c72

Captcha Code <= 2.8 – Captcha Bypass

Affected Software: Captcha Code
CVE ID: CVE-2023-48745
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1dd3845-a88d-41aa-acf4-66fd1a6819ff

Contact Form Email <= 1.3.41 – Captcha Bypass

Affected Software: Contact Form Email
CVE ID: CVE-2023-48318
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b637ebfd-c273-428b-985c-6f5b6a03f263

Super Progressive Web Apps <= 2.2.21 – Missing Authorization

Affected Software: Super Progressive Web Apps
CVE ID: CVE-2023-48277
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d36e869a-5bd4-4f59-8e28-01fa586024c5

Maspik – Spam blacklist <= 0.10.1 – Bypass

Affected Software: Maspik – Spam Blacklist
CVE ID: CVE-2023-48271
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3a8273e-2439-4138-941e-379d130e0c74

Consensu.io <= 1.0.2 – Missing Authorization via update_config_db()

Affected Software: Consensu.io | Conformidade e Consentimento de Cookies para LGPD
CVE ID: CVE-2023-48280
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc1963cc-7e9e-4998-8338-c3e83b70d441

Autocomplete Location field Contact Form 7 <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Autocomplete Location field Contact Form 7
CVE ID: CVE-2023-5005
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13fd7509-6d61-4eb0-9f85-cc40e074b819

Video Player <= 1.5.22 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SpiderVPlayer
CVE ID: CVE-2023-48320
CVSS Score: 4.4 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1627ec2a-f91d-4ed7-acb8-a3fb63b45731

WP Roadmap <= 1.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Roadmap – Product Feedback Board
CVE ID: CVE-2023-41128
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24fc2554-375a-4216-91bf-41921cc4b436

Fast Custom Social Share by CodeBard <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Fast Custom Social Share by CodeBard
CVE ID: CVE-2023-48329
CVSS Score: 4.4 (Medium)
Researcher/s: Song Hyun Bae
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3eece451-65a3-4c9d-a8eb-05f6f3e2d1d5

TriPay Payment Gateway <= 3.2.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: TriPay Payment Gateway
CVE ID: CVE-2023-48737
CVSS Score: 4.4 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/946add6f-4cd5-4c55-9399-a782140f217c

Chatbot for WordPress <= 2.3.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Chatbot for WordPress ⚡️
CVE ID: CVE-2023-5691
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dfd67329-11b1-4f00-a422-bb4833a3181d

Booster for WooCommerce <= 7.1.2 – Missing Authorization to Product Creation/Modification

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-48747
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00ec2f57-48ee-49ea-ae8f-e7b24bf4535c

MyBookTable Bookstore <= 3.3.3 – Cross-Site Request Forgery

Affected Software: MyBookTable Bookstore by Stormhill Media
CVE ID: CVE-2023-48331
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02b336ce-be41-4343-9817-0437bd2685c2

Auto Affiliate Links <= 6.4.2.5 – Cross-Site Request Forgery

Affected Software: Auto Affiliate Links
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17453fa5-af14-477b-9b3d-b245511ad8ce

Frontier Post <= 6.1 – Cross-Site Request Forgery

Affected Software: Frontier Post
CVE ID: CVE-2023-6137
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24ef5844-93d6-4ba3-bd0a-b8837bbd7baf

Mail Bank – #1 Mail SMTP Plugin for WordPress <= 4.0.14 – Missing Authorization

Affected Software: Mail Bank – #1 Mail SMTP Plugin for WordPress
CVE ID: CVE-2023-48332
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31a3a3c1-be0e-46d5-9fa3-563febc5569b

NextGEN Gallery <= 3.37 – Cross-Site Request Forgery

Affected Software: WordPress Gallery Plugin – NextGEN Gallery
CVE ID: CVE-2023-48328
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3354b925-2e4a-4ee5-b436-2c1a502b1725

Debug Log Manager <= 2.2.1 – Missing Authorization

Affected Software: Debug Log Manager
CVE ID: CVE-2023-6136
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev, Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33a54cae-0fa3-4c25-bf81-8423f5e01e84

wpForo Forum <= 2.2.5 – Cross-Site Request Forgery via logout()

Affected Software: wpForo Forum
CVE ID: CVE-2023-47870
CVSS Score: 4.3 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bce40ee-c378-4a44-9c5d-d83151975309

GS Pins for Pinterest Lite <= 1.8.0 – Missing Authorization via _update_shortcode

Affected Software: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f81003b-8214-4fa3-960f-81b166623de9

Bulk Comment Remove <= 2 – Cross-Site Request Forgery via brc_admin()

Affected Software: Bulk Comment Remove
CVE ID: CVE-2023-48330
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42303b60-cbb5-4176-94f9-b2ed29f59cc8

Floating Action Button <= 1.2.1 – Cross-Site Request Forgery

Affected Software: Floating Action Button
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42b2d840-4e8b-4027-ab3b-78b17c9ed9aa

Availability Calendar <= 1.2.6 – Cross-Site Request Forgery via add_availability_calendar_create_admin_page()

Affected Software: Availability Calendar
CVE ID: CVE-2023-48744
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b13388b-19f9-4f5c-9599-efd6ccf978c8

WCMultiShipping <= 2.3.5 – Missing Authorization to Log Export

Affected Software: UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping
CVE ID: CVE-2023-48274
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b19657c-3e95-42cf-8d1a-64fa50b3b82b

Awesome Support <= 6.1.4 – Missing Authorization via wpas_edit_reply_ajax()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-48324
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dec91d7-19cf-480d-871c-427cd1e691a6

Awesome Support <= 6.1.4 – Cross-Site Request Forgery via wpas_edit_reply_ajax()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-48323
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/579b887a-4140-4e12-9a9a-ba52d212b8a2

wpForo Forum <= 2.2.5 – Missing Authorization

Affected Software: wpForo Forum
CVE ID: CVE-2023-47869
CVSS Score: 4.3 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71078aaf-9803-4b46-bc94-dbcb43745629

Grab & Save <= 1.0.4 – Cross-Site Request Forgery

Affected Software: Grab & Save
CVE ID: CVE-2023-47845
CVSS Score: 4.3 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cd4b1da-faee-4c4e-b323-e77c4c033149

Perfmatters <= 2.1.6 – Cross-Site Request Forgery

Affected Software: Perfmatters
CVE ID: CVE-2023-47875
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95f5b4df-5214-4f36-8dd5-a1a816fbc3db

Broken Link Checker for YouTube <= 1.3 – Cross-Site Request Forgery via plugin_settings_page()

Affected Software: Broken Link Checker for YouTube
CVE ID: CVE-2023-48281
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9993d84e-7337-4eda-af3c-039b6d8c8fe6

TextMe SMS <= 1.15.20 – Missing Authorization via tetxme_update_option_page()

Affected Software: TextMe SMS
CVE ID: CVE-2023-48287
CVSS Score: 4.3 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fb4ad52-a0b2-4645-bf0d-132b4ce8a0a1

Easy Social Feed <= 6.5.1 – Missing Authorization via hide_free_sidebar()

Affected Software: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
CVE ID: CVE-2023-48740
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ffb3ef-9d77-463f-92c4-4bc799ac16aa

Simple Testimonials Showcase <= 1.1.5 – Cross-Site Request Forgery

Affected Software: Simple Testimonials Showcase
CVE ID: CVE-2023-48283
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6008237-e4a8-4757-ae14-ac20c6f1b0af

ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b758c8a7-6220-4b54-af88-7933a530b5ba

Landing Page Builder <= 1.5.1.5 – Open Redirect


HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Missing Authorization via woof_meta_get_keys()

Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-40334
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d00edaf1-2a97-4000-afd9-432ca8fa3df4

Post Meta Data Manager <= 1.2.1 – Cross-Site Request Forgery to Post, Term, and User Meta Deletion

Affected Software: Post Meta Data Manager
CVE ID: CVE-2023-5776
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d49b8c44-4dad-4990-a8a8-116b424a7dfa

Analytify Dashboard <= 5.1.1 – Cross-Site Request Forgery

Affected Software: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
CVE ID: CVE-2023-47841
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7362f3f-c5d9-4ba0-b9c3-282c58861e2f

Booster for WooCommerce <= 7.1.1 – Missing Authorization to Authenticated (Subscriber+) Order Information Disclosure

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-48333
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d94661c1-2d70-4943-9452-b51a76116ebb

WooCommerce Parcel Pro <= 1.6.11 – Cross-Site Request Forgery

Affected Software: Parcel Pro
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbf54852-f3fe-4c9e-9348-44a73f9a8131

Seraphinite Post .DOCX Source <= 2.16.6 – Cross-Site Request Forgery

Affected Software: Seraphinite Post .DOCX Source
CVE ID: CVE-2023-48279
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dfcc2ab2-504d-4151-9435-618e317ce95c

Taxonomy filter <= 2.2.9 – Cross-Site Request Forgery via taxonomy_filter_save_main_settings()

Affected Software: Taxonomy filter
CVE ID: CVE-2023-48282
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e74ff260-48af-4fc2-80d8-1ff2403f8f33

League Table <= 1.13 – Cross-Site Request Forgery

Affected Software: League Table
CVE ID: CVE-2023-48334
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef7ec175-cee5-4559-909d-ee689158d67c

Abandoned Cart Lite for WooCommerce <= 5.16.0 – Improper Authorization via wcal_preview_emails

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 3.7 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4edbfeee-b668-4a85-a030-c15d6583dc82

Abandoned Cart Lite for WooCommerce <= 5.16.0 – Improper Authorization via wcal_delete_expired_used_coupon_code

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 3.1 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52d1f9a3-243e-4e2c-a752-f40b6d275121

File Manager <= 6.3 – Authenticated (Admin+) Arbitrary OS File Access via Path Traversal


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments